DEV Community

Dipali Kulshrestha

IAM Fundamentals

3. IAM Fundamentals (Core Concepts)

IAM Components

User: Human or application identity
Group: Collection of users
Role: Assumed identity with temporary credentials
Policy: Permissions document (JSON)

Authentication vs Authorization

Authentication: Who are you?
Authorization: What are you allowed to do?

4. IAM Policies – Deep Dive

Policy Types

  • AWS Managed Policies
  • Customer Managed Policies
  • Inline Policies

Policy Structure (JSON)

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "*"
    }
  ]
}

Key Elements Explained

Effect: Allow / Deny

Action: The API calls the statement covers

Resource: The ARN(s) the statement applies to

Condition: Optional extra constraints on when the statement applies (advanced)

Tip: An explicit Deny always wins over any Allow.
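The evaluation rule behind that tip, worked through in code. This is an added example written for this page, not AWS's evaluation engine and not code from the original post. It models only Action/Resource matching (with the "*" and "?" wildcards IAM accepts) and the Allow/Deny precedence; Condition elements are assumed absent, and the two sample policies are constructed for the demonstration.

```python
"""Minimal IAM policy evaluation simulator (added example, not AWS code).

Decision logic modelled: the default answer is an implicit deny, a matching
Allow statement grants access, and a matching explicit Deny always wins no
matter how many Allow statements also match.
"""
import fnmatch
import json


def _as_list(value):
    """IAM lets Action/Resource be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, value, case_insensitive):
    """Wildcard match: '*' matches any run of characters, '?' exactly one."""
    if case_insensitive:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def statement_matches(statement, action, resource):
    """True if the statement's Action and Resource both cover the request."""
    actions = _as_list(statement.get("Action"))
    resources = _as_list(statement.get("Resource"))
    # Assumption made here: action names compare case-insensitively,
    # resource ARNs compare exactly (apart from wildcards).
    action_ok = any(_matches(p, action, True) for p in actions)
    resource_ok = any(_matches(p, resource, False) for p in resources)
    return action_ok and resource_ok


def evaluate(policies, action, resource):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"
    for policy in policies:
        for statement in policy.get("Statement", []):
            if not statement_matches(statement, action, resource):
                continue
            if statement["Effect"] == "Deny":
                return "Deny"        # explicit deny short-circuits everything
            if statement["Effect"] == "Allow":
                decision = "Allow"   # keep scanning: a later Deny still wins
    return decision


# Constructed sample policies (not from the original post).
READ_ONLY_S3 = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}
  ]
}""")

DENY_SECRETS_BUCKET = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Deny", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::secrets-bucket", "arn:aws:s3:::secrets-bucket/*"]}
  ]
}""")


if __name__ == "__main__":
    policies = [READ_ONLY_S3, DENY_SECRETS_BUCKET]
    requests = [
        ("s3:ListBucket", "arn:aws:s3:::public-bucket"),        # Allow
        ("s3:GetObject", "arn:aws:s3:::secrets-bucket/key.txt"), # Deny
        ("ec2:RunInstances", "*"),                               # ImplicitDeny
    ]
    for act, res in requests:
        print(f"{act:18} {res:42} -> {evaluate(policies, act, res)}")
```

Swapping the order of the two policies in the list does not change the second result: the Deny is returned as soon as it matches, and an Allow found earlier is never the final answer when a Deny also matches.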

5. IAM Best Practices

Security Best Practices

  • Least privilege
  • Use roles instead of long-term credentials
  • Enable MFA
  • Rotate credentials
  • Use managed policies where possible

What NOT to Do

❌ Hardcode access keys in code
❌ Use IAM users (long-term keys) for EC2/Lambda workloads
❌ Share credentials

6. IAM Roles

What is an IAM Role?

  • An identity assumed temporarily
  • Uses STS (Security Token Service)
  • No permanent credentials

Common Role Use Cases

  • EC2 accessing S3
  • Lambda accessing DynamoDB
  • Cross-account access
  • CI/CD pipelines

Trust Policy vs Permission Policy

Trust policy: Who can assume the role

Permission policy: What the role can do
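The two halves of a role side by side, as an added example that is not code from the original post or an AWS library. It builds the EC2-to-S3 role from the use-case list above as two constructed documents, answers "who can assume this role?" from the trust policy alone, and flags the two review findings that most often turn up: a trust policy open to any principal, and a permission policy that allows every action on every resource. Bucket names and the review rules are this example's own assumptions.

```python
"""Trust policy vs permission policy for an IAM role (added example)."""
import json

# Constructed trust policy: only the EC2 service may call sts:AssumeRole.
EC2_TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "ec2.amazonaws.com"},
    "Action": "sts:AssumeRole"
  }]
}""")

# Constructed permission policy: read-only access to one bucket.
S3_READ_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::app-assets", "arn:aws:s3:::app-assets/*"]
  }]
}""")


def _as_list(value):
    """IAM allows a string or a list in most elements; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def trusted_principals(trust_policy):
    """Return the principals the trust policy lets assume the role.

    Entries look like 'Service:ec2.amazonaws.com' or 'AWS:arn:...';
    a bare '*' means the trust policy is open to anyone.
    """
    out = set()
    for st in trust_policy.get("Statement", []):
        actions = [a.lower() for a in _as_list(st.get("Action"))]
        if st.get("Effect") != "Allow" or not any(a.startswith("sts:assumerole") for a in actions):
            continue
        principal = st.get("Principal", {})
        if principal == "*":
            out.add("*")
            continue
        for kind, values in principal.items():       # Service / AWS / Federated
            for v in _as_list(values):
                out.add("*" if v == "*" else f"{kind}:{v}")
    return out


def can_assume(trust_policy, principal):
    """Decide from the trust policy alone whether one principal may assume."""
    allowed = trusted_principals(trust_policy)
    return "*" in allowed or principal in allowed


def review_role(trust_policy, permission_policies):
    """Flag an open trust policy and a permission policy granting '*' on '*'."""
    findings = []
    if "*" in trusted_principals(trust_policy):
        findings.append("trust policy: any principal can assume this role")
    for pol in permission_policies:
        for st in pol.get("Statement", []):
            actions = _as_list(st.get("Action"))
            resources = _as_list(st.get("Resource"))
            if st.get("Effect") == "Allow" and "*" in actions and "*" in resources:
                findings.append("permission policy: Allow '*' on '*' (not least privilege)")
    return findings


if __name__ == "__main__":
    print("EC2 can assume:   ", can_assume(EC2_TRUST_POLICY, "Service:ec2.amazonaws.com"))
    print("Lambda can assume:", can_assume(EC2_TRUST_POLICY, "Service:lambda.amazonaws.com"))
    print("findings:", review_role(EC2_TRUST_POLICY, [S3_READ_POLICY]))
```

Note that `can_assume` never looks at the permission policy and `review_role`'s second check never looks at the trust policy: the trust policy decides who, the permission policy decides what, and a role is only as safe as the stricter of the two documents.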

Hands-On Labs (Step-by-Step)

Lab: Create IAM Users and Groups

Objective

Create a developer IAM user with controlled permissions.

Steps

  1. Log in as root / admin
  2. Open IAM Console
  3. Create Group: Developers
  4. Attach policy: AmazonS3ReadOnlyAccess
  5. Create IAM User with Access type: Console + Programmatic
  6. Add user to Developers group
  7. Enable MFA for the user
  8. Test login

Validation

  • User can list S3 buckets
  • User cannot create EC2 instances

Lab: Create and Test IAM Role for EC2

Objective

Allow an EC2 instance to access S3 without access keys.

Steps

  1. Create IAM Role
  2. Trusted entity: EC2
  3. Attach policy: AmazonS3ReadOnlyAccess
  4. Launch EC2 instance
  5. Attach role during launch
  6. SSH into EC2
  7. Run: aws s3 ls

Expected Result

aws s3 ls succeeds without any credentials configured on the instance

Detailed steps

9. Common Developer IAM Scenarios

Lambda → DynamoDB

ECS task → SQS

CI/CD pipeline → CloudFormation

Cross-account role for deployment

Tie these back to roles, not users.
